The U.S. continues to lead the world in malware connections and malware hosting — a smart tactical approach for cyber criminals, according to the 2012 Websense Threat Report. The rationale, the web security company explains, is that no one is likely to block a U.S. domain because of the impact on Internet users. And it’s something of a perception bonus for the criminals, who can exploit a sense of trust engendered by the perception that the source is domestic rather than those nasty folk in the Ukraine, Russia etc.
In fact, of course, the gangsters themselves may be thousands of miles away. The predicament was illustrated this week, when Microsoft and U.S. marshals shut down Zeus botnet hosting sites in Illinois and Pennsylvania. But while the complaint describes a number of principals and their roles in Zeus operations, they are all “John Does,” identities and whereabouts unknown, and the possible impact of the law enforcement action uncertain.
Half the malware connections are in the U.S., as are a little over a third of the malware hosts, roughly the same as in 2010. The U.S. is top phishing host as well, about 60%.
Not surprisingly, three of five malicious websites are on legitimate hosts. This has pretty much always been the case in the world of cyber crime. Compromising vulnerable hosts is good business. The host organization is almost always oblivious; the actual criminals are almost impossible to trace, and it is far more cost-efficient than running your own infrastructure. Think of it as sort of an involuntary cloud hosting service for cyber crime.
Some good news, email spam is down from 84% to 74%. Almost all malicious email is a lure, as 92% of these messages contain a URL. The drop in spam may also reflect a trend to exploiting user trust on social media sites, such as Facebook. And, speaking of Facebook, Websense characterizes 43% of the content as streaming media, and criminals, quick to spot trends, are increasingly exploiting users’ appetites for video. So when you take the bait and “watch this gross video,” gross things are being loaded onto your computer in the background.
Websense also notes that contemporary exploit kits, such as the nearly ubiquitous Blackhole kit, the current rage, are highly opportunistic and adaptive. The kit checks for vulnerabilities uses a malware dropper file if it finds one. If none is found, the user is directed to a clean web page, and the kit remains hidden.
(This was one of a number of examples Websense uses in the report to underscore the limits of host AV and push the virtues of web gateway defense, such as theirs. In fairness, web security gateway products and hosted services are becoming a staple in enterprises and smaller businesses. The SaaS option is increasingly popular, as an alternative for SMBs and in a hybrid scenario for enterprises, who may deploy appliances in their HQs, for example, and use hosted services for smaller offices and remote and mobile device users.)
The report is in large part compendium of links to Websense blog postings organized by topic, which actually makes it a somewhat valuable resource for research and review.
- About Corero
- Investor Relations
- News Room
- Executive Management Team
- Corero Offices
- Contact Us